Last month saw early buzz in the privacy community with the first US companies electing to self-certify under the new European Union – United States Privacy Shield framework.
This framework has been long anticipated by highly visible companies with large stores of regulated data. Although it’s still early days, the framework is being touted as a “new valuable tool for cross-border data transfers.” In terms of well-publicized adoption of the framework, Microsoft is already certified on the Privacy Shield List, and Google announced their submission for certification earlier this week.
This week, RADAR received word that our submission to certify with the EU-US Privacy Shield Framework has been approved and you can now find us listed as an active participant on the Privacy Shield List. This certification was one of my first initiatives since joining the RADAR team, and I’m gratified to have helped our company meet the compliance requirements.
What is Privacy Shield?
Privacy Shield is an international agreement that replaces the invalidated Safe Harbor framework, which was considered by many to be weak when it came to compliance and enforcement. Under Safe Harbor, self-certification was not overseen by a compliance team, and privacy notices were not required to subject an organization to dispute-resolution mechanisms such as arbitration and oversight by the Federal Trade Commission. Under Privacy Shield, an organization must, among other things:
- Ensure that the company’s privacy notice conforms with the Privacy Shield Principles.
- Identify and submit to an independent recourse mechanism, such as the E.U. Data Protection Authority Panel (DPA).
- Include a statement that indicates that the organization is subject to the jurisdiction of the Federal Trade Commission or Department of Transportation.
- Include a statement that the organization will agree to arbitrate disputes.
Why We Joined the EU-US Privacy Shield Framework
Participating in the EU-US Privacy Shield makes sense for RADAR, as our company is entrusted with assessing privacy incidents and providing decision guidance surrounding notification requirements. Given RADAR’s use in assessing privacy and security incidents, we thought it imperative that our company be among the early adopters to register under Privacy Shield.
As our company and our customers’ businesses expand, we want to acknowledge that Europe’s laws and principles are respected by our company and our software. RADAR is not only a tool for United States law compliance – we are also adapting our risk assessment engine to address the GDPR and other regulatory guidance to provide decision support with respect to European data breach obligations.
As the privacy officer at a company working to simplify compliance for our customers, it’s important to us that we at RADAR don’t just talk the talk, but we also ‘walk the walk.’ One of our company values is integrity. Our customers place great trust in us, and being certified in the Privacy Shield program is an important step in continuing to earn this trust because it demonstrates our commitment to the privacy rights of our customers, their employees, and their own customers.
On the Fence for Certification? Weigh the Pros and Cons
US companies aren’t required to sign up for the Privacy Shield, and the work required to ensure compliance with the framework can be cumbersome. Deciding to join this program means considering the following:
Cons: From a legal perspective, companies may hesitate in certifying with Privacy Shield because in one way it causes a company to ‘stick its neck out,’ in that a publicly posted and compliant privacy notice is likely to waive potential legal defenses such as lack of jurisdiction, international conflicts of laws, venue, and other ways of avoiding liability.
Pros: Companies receiving the certification are provided with a mechanism for demonstrating compliance with the upcoming General Data Protection Regulation (GDPR), which will take effect in the summer of 2018. The GDPR will provide some clarity and harmony between the laws in different countries in the E.U., but will also bring stringent requirements, including the requirement to notify data protection authorities of any data breach that poses a “high risk to the rights and freedoms of natural persons.” This language in the GDPR is so broad that many lawyers doubt that anyone could provide advice that would ensure complete compliance. For that reason, Privacy Shield has been closely tracked by highly visible big data companies, such as Microsoft (which has already certified), in order to provide a path to compliance.
Only considering legal reasons for compliance is short-sighted. A business and software that provides compliance support must go beyond minimum legal requirements in order to gain the trust of its customers. When you’re working to build long-term, supportive, and collaborative relationships with customers, this certification can be a strong statement of your commitment to compliance.
Lessons Learned in the Certification Process
1. Aligning Company Values with Privacy Shield Principles
In leading the charge for the RADAR certification, I had a difficult time finding reliable examples from which to work. A privacy notice should not be a cookie-cutter exercise. For the purposes of this certification, and in an effort to strongly adhere to the Privacy Shield Principles, we drafted a RADAR Privacy Notice that was based entirely around the principles, categorizing many of the statements you have probably seen in other privacy notices or privacy policies under the various principles to ensure each principle was addressed directly.
2. Gain Internal Buy-In Through Education
A last step in fully adopting this framework within our company was educating the company as to what RADAR was promising, to further ensure our external promises matched our internal practices in every respect. This exercise of aligning our company’s values, our internal privacy framework, and the Privacy Shield Principles underscores the fact that you are not simply checking a box, but are fully committing to the principles of compliance.
3. Quick, Painless – and Certainly Worth Your While
The self-certification program offered by the Department of Commerce Privacy Shield team is relatively straightforward. We were able to register for dispute resolution with the EU DPA and submit our application online. The Department of Commerce responded within one business day with relevant comments, and after we submitted a couple of minor revisions, the application was approved the same day.
I highly recommend that American companies join the Privacy Shield program and go through the complete exercise of assessing internal policies and getting feedback from appropriate stakeholders. This process can strengthen an organization internally, help shore up your company’s culture of compliance, and align your privacy values with international standards. This work is important to the long-term health of an organization.